/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: SPSSOFederate.java,v 1.29 2009/11/24 21:53:28 madan_ranganath Exp $
 *
 * Portions Copyrighted 2011-2015 ForgeRock AS.
 */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.saml2.profile;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSConstants;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.liberty.ws.paos.PAOSException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSHeader;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.Issuer;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.QuerySignatureUtil;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2Constants;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2Exception;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2FailoverUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2Utils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPFactory;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPRelayState;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.key.KeyUtil;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.logging.LogUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.plugins.SAML2IDPFinder;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SPAuthnContextMapper;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.AuthnRequest;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.Extensions;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.GetComplete;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPEntry;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPList;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.NameIDPolicy;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.ProtocolFactory;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.RequestedAuthnContext;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.Scoping;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.datastruct.OrderedSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.xml.XMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.io.IOException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.io.OutputStream;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.PrivateKey;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport java.util.ArrayList;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport java.util.Collection;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Date;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.List;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Map;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport java.util.logging.Level;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.servlet.http.HttpServletResponse;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPMessage;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Lunaimport org.forgerock.openam.saml2.audit.SAML2EventLogger;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Reads the request parameters and performs the processing required to build a
 * SAML2 Authentication Request at the Service Provider and send it to the
 * Identity Provider over the HTTP-Redirect or HTTP-POST binding, signing the
 * request where the SP or IDP metadata requires it.
 */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class SPSSOFederate {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Shared SAML2 metadata manager used for all SP/IDP metadata lookups in this
 * class. Stays null if construction in the static block below failed.
 */
static SAML2MetaManager sm = null;
static {
    try {
        sm = new SAML2MetaManager();
    } catch (SAML2MetaException sme) {
        // Failure is only logged here, not rethrown: initiateAuthnRequest
        // checks for sm == null and reports "errorMetaManager" at request time.
        SAML2Utils.debug.error("SPSSOFederate: Error retreiving metadata"
        ,sme);
    }
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
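/**
 * Parses the request parameters and builds the Authentication
 * Request to be sent to the IDP, resolving the Service Provider and its
 * realm from the given metaAlias.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param metaAlias metaAlias to locate the service providers.
 * @param idpEntityID entityID of Identity Provider.
 * @param paramsMap Map of all other parameters. The keys in the
 *        map are of the type String. The values in the paramsMap
 *        are of the type List.
 *        Some of the possible keys are: RelayState, NameIDFormat,
 *        reqBinding, binding, AssertionConsumerServiceIndex,
 *        AttributeConsumingServiceIndex (currently not supported),
 *        isPassive, ForceAuthN, AllowCreate, Destination,
 *        AuthnContextDeclRef, AuthnContextClassRef,
 *        AuthComparison, Consent (currently not supported),
 *        AuthLevel, and sunamcompositeadvice.
 * @param auditor the SAML2EventLogger to use to log the saml request - may be null
 * @throws SAML2Exception if error initiating request to IDP, or if the
 *         SAML2 metadata manager failed to initialise.
 */
public static void initiateAuthnRequest(final HttpServletRequest request,
                                        final HttpServletResponse response,
                                        final String metaAlias,
                                        final String idpEntityID,
                                        final Map paramsMap,
                                        final SAML2EventLogger auditor) throws SAML2Exception {

    // sm is created in the static initialiser and remains null if that failed.
    // Check it here, before getSPEntityId dereferences it, so the caller gets
    // the same SAML2Exception the realm-based overload raises instead of an NPE.
    if (sm == null) {
        SAML2Utils.debug.error("SPSSOFederate: SAML2MetaManager is not available");
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
    }

    try {
        // get the sp entity ID from the metaAlias
        String spEntityID = getSPEntityId(metaAlias);
        String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);

        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate : spEntityID is :" + spEntityID);
            SAML2Utils.debug.message("SPSSOFederate realm is :" + realm);
        }

        initiateAuthnRequest(request, response, spEntityID, idpEntityID, realm, paramsMap, auditor);
    } catch (SAML2MetaException sme) {
        // The metaAlias could not be mapped to an SP entity; surface a generic error.
        SAML2Utils.debug.error("SPSSOFederate: Error retreiving spEntityID from MetaAlias",sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaAliasError"));
    }
}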
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Looks up the entity ID of the Service Provider registered under a metaAlias.
 *
 * @param metaAlias the metaAlias String
 * @return the EntityId of the SP from the meta Alias
 * @throws SAML2MetaException if there was a problem extracting
 */
public static String getSPEntityId(String metaAlias) throws SAML2MetaException {
    // Delegates straight to the shared meta manager; sm is null only when the
    // static initialiser failed, in which case this dereference throws NPE.
    final SAML2MetaManager metaManager = sm;
    return metaManager.getEntityByMetaAlias(metaAlias);
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
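/**
 * Builds a SAML2 AuthnRequest for the given SP/IDP pair, records it so the
 * IDP's response can later be matched to it, and sends the browser to the
 * IDP's SingleSignOnService using either the HTTP-POST or the HTTP-Redirect
 * binding (the latter is the default).
 * <p>
 * The {@link AuthnRequestInfo} is stored in {@code SPCache.requestHash} (and,
 * when SAML2 failover is enabled, in the token repository) <em>before</em> the
 * redirect/POST is written: a token-repository failure is therefore reported
 * before the response is committed, and the entry exists before the IDP can
 * possibly answer. If the hand-off to the IDP itself fails, the local entry
 * is removed again.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 * @param spEntityID entityID of Service Provider.
 * @param idpEntityID entityID of Identity Provider.
 * @param realmName realm of the Service Provider; normalised through
 *        {@code getRealm} before any metadata lookup.
 * @param paramsMap Map of all other parameters. The keys in the
 *        map are the parameter names of the type String.
 *        The values in the paramsMap are of the type List.
 *        Some of the possible keys are: RelayState, NameIDFormat,
 *        reqBinding, binding, AssertionConsumerServiceIndex,
 *        AttributeConsumingServiceIndex (currently not supported),
 *        isPassive, ForceAuthN, AllowCreate, Destination,
 *        AuthnContextDeclRef, AuthnContextClassRef,
 *        AuthComparison, Consent (currently not supported),
 *        AuthLevel, and sunamcompositeadvice.
 * @param auditor the auditor for logging SAML2 Events - may be null
 * @throws SAML2Exception if error initiating request to IDP.
 */
private static void initiateAuthnRequest(
        final HttpServletRequest request, final HttpServletResponse response, final String spEntityID,
        final String idpEntityID, final String realmName, final Map paramsMap, final SAML2EventLogger auditor)
        throws SAML2Exception {

    // Load-balancer cookie handling may already have redirected the browser.
    if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
        return;
    }

    if (spEntityID == null) {
        SAML2Utils.debug.error("SPSSOFederate:Service Provider ID is missing.");
        String[] data = { spEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_SP, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
    }

    if (idpEntityID == null) {
        SAML2Utils.debug.error("SPSSOFederate: Identity Provider ID is missing .");
        String[] data = { idpEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
    }

    // Binding used to carry the AuthnRequest to the IDP; HTTP-Redirect unless
    // the caller asked for something else.
    String binding = getParameter(paramsMap, SAML2Constants.REQ_BINDING);
    if (binding == null) {
        binding = SAML2Constants.HTTP_REDIRECT;
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate: in initiateSSOFed");
        SAML2Utils.debug.message("SPSSOFederate: spEntityID is : " + spEntityID);
        SAML2Utils.debug.message("SPSSOFederate: idpEntityID : " + idpEntityID);
    }

    String realm = getRealm(realmName);

    // ID of the request currently held in SPCache.requestHash whose hand-off
    // has not completed yet; non-null in the finally block means the entry
    // must be dropped because the request never reached the browser.
    String pendingRequestID = null;

    try {
        // Retrieve MetaData
        if (sm == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
        }

        Map spConfigAttrsMap = getAttrsMapForAuthnReq(realm, spEntityID);

        // get SPSSODescriptor
        SPSSODescriptorElement spsso = getSPSSOForAuthnReq(realm, spEntityID);
        if (spsso == null) {
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }

        List extensionsList = getExtensionsList(spEntityID, realm);

        // get IDP Descriptor
        IDPSSODescriptorElement idpsso = getIDPSSOForAuthnReq(realm, idpEntityID);
        if (idpsso == null) {
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
        }

        // The redirect/POST destination is taken from the IDP's metadata for
        // the chosen binding, never from caller-supplied parameters.
        List ssoServiceList = idpsso.getSingleSignOnService();
        String ssoURL = getSSOURL(ssoServiceList, binding);
        if (ssoURL == null || ssoURL.length() == 0) {
            String[] data = { idpEntityID };
            LogUtil.error(Level.INFO, LogUtil.SSO_NOT_FOUND, data, null);
            throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotfound"));
        }

        // create AuthnRequest
        AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap,
                extensionsList, spsso, idpsso, ssoURL, false);
        if (null != auditor && null != authnRequest) {
            auditor.setRequestId(authnRequest.getID());
        }

        // invoke SP Adapter class if registered
        // NOTE(review): the adapter is looked up with the raw realmName while the
        // metadata lookups above use the normalised realm - kept as-is, confirm intended.
        SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realmName);
        if (spAdapter != null) {
            spAdapter.preSingleSignOnRequest(spEntityID, idpEntityID, realmName, request, response, authnRequest);
        }

        String authReqXMLString = authnRequest.toXMLString(true, true);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate: AuthnRequest:" + authReqXMLString);
        }

        // Default URL if relayState not present? in providerConfig?
        // TODO get Default URL from metadata
        String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);

        // RelayState is caller-controlled: validate it against the SP's
        // configuration before it is stored or forwarded to the IDP.
        SAML2Utils.validateRelayStateURL(realm, spEntityID, relayState, SAML2Constants.SP_ROLE);

        // Only an opaque ID for the relay state travels to the IDP; it is
        // appended to the SSO URL / POST form below.
        String relayStateID = null;
        if (relayState != null && relayState.length() > 0) {
            relayStateID = getRelayStateID(relayState, authnRequest.getID());
        }

        // Record the outstanding request before anything is written to the
        // browser, so the entry exists before the IDP can respond.
        String requestID = authnRequest.getID();
        AuthnRequestInfo reqInfo = new AuthnRequestInfo(request, response, realm, spEntityID,
                idpEntityID, authnRequest, relayState, paramsMap);
        synchronized (SPCache.requestHash) {
            SPCache.requestHash.put(requestID, reqInfo);
        }
        pendingRequestID = requestID;

        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
            try {
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(requestID,
                        new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest:"
                            + " SAVE AuthnRequestInfoCopy for requestID " + requestID);
                }
            } catch (SAML2TokenRepositoryException e) {
                // Fails before the response is committed; the finally block
                // drops the local entry that was just stored.
                SAML2Utils.debug.error("SPSSOFederate.initiateAuthnRequest: There was a problem saving the " +
                        "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + requestID, e);
                throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
            }
        }

        if (binding.equals(SAML2Constants.HTTP_POST)) {
            String encodedReqMsg = getPostBindingMsg(idpsso, spsso, spConfigAttrsMap, authnRequest);
            SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, ssoURL);
        } else {
            String redirect = getRedirect(authReqXMLString, relayStateID, ssoURL, idpsso, spsso, spConfigAttrsMap);
            response.sendRedirect(redirect);
        }
        // Hand-off done: the cached entry must now stay until the IDP responds.
        pendingRequestID = null;

        String[] data = { ssoURL };
        LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_IDP, data, null);
    } catch (IOException ioe) {
        SAML2Utils.debug.error("SPSSOFederate: Exception :",ioe);
        throw new SAML2Exception(SAML2Utils.bundle.getString("errorCreatingAuthnRequest"));
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    } finally {
        // Non-null only if storing or sending failed after the local put: a
        // request that never reached the browser must not remain matchable.
        // A failover copy that was saved before the failure is left to expire
        // at sessionExpireTime.
        if (pendingRequestID != null) {
            removeCachedRequest(pendingRequestID);
        }
    }
}

/**
 * Removes an outstanding request from {@code SPCache.requestHash}.
 *
 * @param requestID ID of the AuthnRequest whose cached entry should be dropped.
 */
private static void removeCachedRequest(final String requestID) {
    synchronized (SPCache.requestHash) {
        SPCache.requestHash.remove(requestID);
    }
}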
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Builds the HTTP-Redirect binding URL that carries an AuthnRequest to the IDP.
 *
 * <p>The AuthnRequest XML is encoded with {@code SAML2Utils.encodeForRedirect} and placed in the
 * {@code SAML2Constants.SAML_REQUEST} query parameter; a non-empty {@code relayStateID} is
 * URL-encoded into the {@code SAML2Constants.RELAY_STATE} parameter. When the IDP wants signed
 * requests or the SP declares that it signs them, the query string is passed to
 * {@code signQueryString} with the certificate alias found under
 * {@code SAML2Constants.SIGNING_CERT_ALIAS} in {@code spConfigAttrsMap}.
 *
 * @param authReqXMLString the AuthnRequest as an XML string.
 * @param relayStateID the relay state id to forward; {@code null} or empty means none.
 * @param ssoURL the IDP single sign-on endpoint; an existing query string on it is preserved.
 * @param idpsso the IDP descriptor, consulted for {@code isWantAuthnRequestsSigned()}.
 * @param spsso the SP descriptor, consulted for {@code isAuthnRequestsSigned()}.
 * @param spConfigAttrsMap the SP extended configuration attributes.
 * @return the complete redirect URL.
 * @throws SAML2Exception if there is a problem creating the redirect string.
 */
public static String getRedirect(String authReqXMLString, String relayStateID, String ssoURL,
        IDPSSODescriptorElement idpsso, SPSSODescriptorElement spsso, Map spConfigAttrsMap)
        throws SAML2Exception {

    String samlRequestValue = SAML2Utils.encodeForRedirect(authReqXMLString);

    StringBuilder query = new StringBuilder()
            .append(SAML2Constants.SAML_REQUEST)
            .append(SAML2Constants.EQUAL)
            .append(samlRequestValue);

    boolean hasRelayState = relayStateID != null && relayStateID.length() > 0;
    if (hasRelayState) {
        query.append("&").append(SAML2Constants.RELAY_STATE).append("=").append(URLEncDec.encode(relayStateID));
    }

    // Keep any query string the SSO endpoint already carries.
    String separator = ssoURL.contains("?") ? "&" : "?";
    StringBuilder url = new StringBuilder().append(ssoURL).append(separator);

    boolean mustSign = idpsso.isWantAuthnRequestsSigned() || spsso.isAuthnRequestsSigned();
    if (!mustSign) {
        url.append(query);
    } else {
        String certAlias = getParameter(spConfigAttrsMap, SAML2Constants.SIGNING_CERT_ALIAS);
        url.append(signQueryString(query.toString(), certAlias));
    }

    return url.toString();
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
/**
 * Looks up the SP SSO descriptor of an SP entity in a realm.
 *
 * @param realm the realm the SP is configured in.
 * @param spEntityID the entity id of the SP whose descriptor is wanted.
 * @return whatever the meta manager returns for that entity.
 * @throws SAML2MetaException if the meta manager cannot look up the descriptor.
 */
public static SPSSODescriptorElement getSPSSOForAuthnReq(String realm, String spEntityID)
        throws SAML2MetaException {
    SPSSODescriptorElement descriptor = sm.getSPSSODescriptor(realm, spEntityID);
    return descriptor;
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
/**
 * Reads the extended configuration attributes of an SP entity in a realm.
 *
 * @param realm the realm the SP is configured in.
 * @param spEntityID the entity id of the SP whose attributes are wanted.
 * @return the attribute map produced by {@code SAML2MetaUtils.getAttributes}, or {@code null}
 *         when the meta manager has no SP SSO config for the entity.
 * @throws SAML2MetaException if the meta manager cannot look up the SP SSO config.
 */
public static Map<String, Collection<String>> getAttrsMapForAuthnReq(String realm, String spEntityID)
        throws SAML2MetaException {
    SPSSOConfigElement spConfig = sm.getSPSSOConfig(realm, spEntityID);
    // A missing config yields no attributes rather than an error.
    Map attributes = (spConfig == null) ? null : SAML2MetaUtils.getAttributes(spConfig);
    return attributes;
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
/**
 * Looks up the IDP SSO descriptor of an IDP entity in a realm.
 *
 * @param realm the realm the IDP is configured in.
 * @param idpEntityID the entity id of the IDP whose descriptor is wanted.
 * @return whatever the meta manager returns for that entity.
 * @throws SAML2MetaException if the meta manager cannot look up the descriptor.
 */
public static IDPSSODescriptorElement getIDPSSOForAuthnReq(String realm, String idpEntityID)
        throws SAML2MetaException {
    IDPSSODescriptorElement descriptor = sm.getIDPSSODescriptor(realm, idpEntityID);
    return descriptor;
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
/**
 * Builds the HTTP-POST binding value for an AuthnRequest.
 *
 * <p>If the IDP wants signed requests or the SP declares that it signs them, the request is first
 * handed to {@code signAuthnRequest} together with the certificate alias found under
 * {@code SAML2Constants.SIGNING_CERT_ALIAS} in {@code spConfigAttrsMap}. The request is then
 * serialised to XML and encoded with {@code SAML2Utils.encodeForPOST}.
 *
 * @param idpsso the IDP descriptor, consulted for {@code isWantAuthnRequestsSigned()}.
 * @param spsso the SP descriptor, consulted for {@code isAuthnRequestsSigned()}.
 * @param spConfigAttrsMap the SP extended configuration attributes.
 * @param authnRequest the AuthnRequest to send.
 * @return the encoded AuthnRequest for the POST form.
 * @throws SAML2Exception if signing, serialising or encoding the request fails.
 */
public static String getPostBindingMsg(IDPSSODescriptorElement idpsso, SPSSODescriptorElement spsso,
        Map spConfigAttrsMap, AuthnRequest authnRequest)
        throws SAML2Exception {

    boolean signingRequired = idpsso.isWantAuthnRequestsSigned() || spsso.isAuthnRequestsSigned();
    if (signingRequired) {
        String certAlias = getParameter(spConfigAttrsMap, SAML2Constants.SIGNING_CERT_ALIAS);
        signAuthnRequest(certAlias, authnRequest);
    }

    // Serialise after signing so the XML carries the signature.
    String requestXml = authnRequest.toXMLString(true, true);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest: SAML Response content :\n" + requestXml);
    }

    return SAML2Utils.encodeForPOST(requestXml);
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
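/**
 * Handles an ECP (Enhanced Client or Proxy) initiated SSO request for an SP.
 *
 * <p>The request must pass {@link #isFromECP}; otherwise {@code SAMLUtils.sendError} answers with
 * {@code SC_BAD_REQUEST} and the method returns. The SP entity id and realm are resolved from the
 * {@code metaAlias} request parameter, an AuthnRequest is created and signed with the SP signing
 * key, and a PAOS/ECP SOAP envelope (PAOS request header, ECP request header, optional ECP
 * RelayState header, AuthnRequest body) is written to the response. The request is then recorded
 * in {@code SPCache.requestHash} and, when SAML2 failover is enabled, saved through
 * {@code SAML2FailoverUtils}.
 *
 * @param request the HttpServletRequest.
 * @param response the HttpServletResponse.
 *
 * @throws SAML2Exception if the meta manager is unavailable, SP metadata cannot be read, no signing
 *         key is found for the SP, or the PAOS request cannot be built.
 * @throws IOException if the SOAP envelope cannot be written to the response stream.
 */
public static void initiateECPRequest(HttpServletRequest request,
        HttpServletResponse response)
        throws SAML2Exception, IOException {

    if (!isFromECP(request)) {
        SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " +
            "invalid HTTP request from ECP.");
        SAMLUtils.sendError(request, response,
            HttpServletResponse.SC_BAD_REQUEST,
            "invalidHttpRequestFromECP",
            SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
        return;
    }

    String metaAlias = request.getParameter("metaAlias");
    Map paramsMap = SAML2Utils.getParamsMap(request);

    // get the sp entity ID from the metaAlias
    // NOTE(review): sm is dereferenced here, before the sm == null check inside the try block
    // below; a missing meta manager would surface as an NPE rather than "errorMetaManager".
    String spEntityID = sm.getEntityByMetaAlias(metaAlias);
    String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " +
            "spEntityID is " + spEntityID + ", realm is " + realm);
    }

    try {
        // Retrieve MetaData
        if (sm == null) {
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("errorMetaManager"));
        }

        SPSSOConfigElement spEntityCfg =
            sm.getSPSSOConfig(realm,spEntityID);
        Map spConfigAttrsMap=null;
        if (spEntityCfg != null) {
            spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
        }
        // get SPSSODescriptor
        SPSSODescriptorElement spsso =
            sm.getSPSSODescriptor(realm,spEntityID);

        if (spsso == null) {
            String[] data = { spEntityID };
            LogUtil.error(Level.INFO,LogUtil.SP_METADATA_ERROR,data, null);
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("metaDataError"));
        }

        String[] data = { spEntityID, realm };
        LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data,
            null);

        List extensionsList = getExtensionsList(spEntityID, realm);

        // create AuthnRequest
        AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID,
            paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null,
            true);

        // invoke SP Adapter class if registered
        SAML2ServiceProviderAdapter spAdapter =
            SAML2Utils.getSPAdapterClass(spEntityID, realm);
        if (spAdapter != null) {
            spAdapter.preSingleSignOnRequest(spEntityID, realm, null,
                request, response, authnRequest);
        }

        String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID,
            SAML2Constants.SP_ROLE);

        // ECP requests are always signed; without a key the flow is refused rather than
        // sent unsigned.
        PrivateKey signingKey =
            KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
        if (signingKey != null) {
            authnRequest.sign(signingKey, null);
        } else {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " +
                "Unable to find signing key.");
            throw new SAML2Exception(
                SAML2Utils.bundle.getString("metaDataError"));
        }

        ECPFactory ecpFactory = ECPFactory.getInstance();

        // Default URL if relayState not present? in providerConfig?
        // TODO get Default URL from metadata
        // relayState comes straight from the request parameters; presumably getRelayStateID
        // validates/maps it before it is echoed back — confirm against that helper.
        String relayState = getParameter(paramsMap,
            SAML2Constants.RELAY_STATE);

        String ecpRelayStateXmlStr = "";
        if (relayState != null && relayState.length()> 0) {
            String relayStateID = getRelayStateID(relayState,
                authnRequest.getID());
            ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
            ecpRelayState.setValue(relayStateID);
            ecpRelayState.setMustUnderstand(Boolean.TRUE);
            ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
            ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
        }

        ECPRequest ecpRequest = ecpFactory.createECPRequest();
        ecpRequest.setIssuer(createIssuer(spEntityID));
        ecpRequest.setMustUnderstand(Boolean.TRUE);
        ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
        ecpRequest.setIsPassive(authnRequest.isPassive());
        SAML2IDPFinder ecpIDPFinder =
            SAML2Utils.getECPIDPFinder(realm, spEntityID);
        if (ecpIDPFinder != null) {
            List idps = ecpIDPFinder.getPreferredIDP(authnRequest,
                spEntityID, realm, request, response);
            if ((idps != null) && (!idps.isEmpty())) {
                SAML2MetaManager saml2MetaManager =
                    SAML2Utils.getSAML2MetaManager();
                List idpEntries = null;
                for(Iterator iter = idps.iterator(); iter.hasNext();) {
                    String idpEntityID = (String)iter.next();
                    IDPSSODescriptorElement idpDesc = saml2MetaManager
                        .getIDPSSODescriptor(realm, idpEntityID);
                    // IDPs without metadata in this realm are silently left out of the IDPList.
                    if (idpDesc != null) {
                        IDPEntry idpEntry = ProtocolFactory.getInstance()
                            .createIDPEntry();
                        idpEntry.setProviderID(idpEntityID);
                        String description =
                            SAML2Utils.getAttributeValueFromSSOConfig(
                            realm, idpEntityID, SAML2Constants.IDP_ROLE,
                            SAML2Constants.ENTITY_DESCRIPTION);
                        idpEntry.setName(description);
                        List ssoServiceList =
                            idpDesc.getSingleSignOnService();
                        String ssoURL = getSSOURL(ssoServiceList,
                            SAML2Constants.SOAP);
                        idpEntry.setLoc(ssoURL);
                        if (idpEntries == null) {
                            idpEntries = new ArrayList();
                        }
                        idpEntries.add(idpEntry);
                    }
                }
                if (idpEntries != null) {
                    IDPList idpList = ProtocolFactory.getInstance()
                        .createIDPList();
                    idpList.setIDPEntries(idpEntries);
                    ecpRequest.setIDPList(idpList);
                    // spEntityCfg may be null here (it was only checked when spConfigAttrsMap
                    // was built), so guard both the lookup and the map before reading
                    // the GetComplete value.
                    Map attrs = (spEntityCfg == null)
                        ? null : SAML2MetaUtils.getAttributes(spEntityCfg);
                    List values = (attrs == null) ? null : (List)attrs.get(
                        SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
                    if ((values != null) && (!values.isEmpty())) {
                        GetComplete getComplete =
                            ProtocolFactory.getInstance()
                            .createGetComplete();
                        getComplete.setValue((String)values.get(0));
                        idpList.setGetComplete(getComplete);
                    }
                }
            }
        }
        String paosRequestXmlStr = "";
        try {
            PAOSRequest paosRequest = new PAOSRequest(
                authnRequest.getAssertionConsumerServiceURL(),
                SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE,
                SAML2Constants.SOAP_ACTOR_NEXT);
            paosRequestXmlStr = paosRequest.toXMLString(true, true);
        } catch (PAOSException paosex) {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:",
                paosex);
            throw new SAML2Exception(paosex.getMessage());
        }
        // SOAP header: PAOS request, ECP request, then the optional ECP RelayState.
        String header = paosRequestXmlStr +
            ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;

        String body = authnRequest.toXMLString(true, true);
        try {
            SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(header, body,
                false);

            // The full envelope is only serialised into the access log at FINE.
            String[] data2 = { spEntityID, realm, "" };
            if (LogUtil.isAccessLoggable(Level.FINE)) {
                data2[2] = SOAPCommunicator.getInstance().soapMessageToString(reply);
            }
            LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2,
                null);

            // Need to call saveChanges because we're
            // going to use the MimeHeaders to set HTTP
            // response information. These MimeHeaders
            // are generated as part of the save.
            if (reply.saveRequired()) {
                reply.saveChanges();
            }

            response.setStatus(HttpServletResponse.SC_OK);
            SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
            response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
            // Write out the message on the response stream
            OutputStream os = response.getOutputStream();
            reply.writeTo(os);
            os.flush();
        } catch (SOAPException soapex) {
            SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest",
                soapex);
            String[] data3 = { spEntityID, realm };
            LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED,
                data3, null);
            SAMLUtils.sendError(request, response,
                HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                "soapError", soapex.getMessage());
            return;
        }

        // Remember the outstanding request so the response can be correlated by request ID.
        AuthnRequestInfo reqInfo =
            new AuthnRequestInfo(request,response,realm,spEntityID,
            null, authnRequest,relayState,
            paramsMap);
        synchronized(SPCache.requestHash) {
            SPCache.requestHash.put(authnRequest.getID(),reqInfo);
        }
        if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
            // sessionExpireTime is counted in seconds
            long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
            String key = authnRequest.getID();
            try {
                SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
                if (SAML2Utils.debug.messageEnabled()) {
                    SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:"
                        + " SAVE AuthnRequestInfoCopy for requestID " + key);
                }
            } catch (SAML2TokenRepositoryException e) {
                // Best effort: the local cache entry already exists, so a repository
                // failure is logged and the request continues.
                SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " +
                    "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
            }
        }
    } catch (SAML2MetaException sme) {
        SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata" ,sme);
        throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
    }
}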
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Decides whether an HTTP request comes from an ECP client.
 *
 * <p>The request qualifies only if a {@code PAOSHeader} can be built from it, that header's
 * services include {@code SAML2Constants.PAOS_ECP_SERVICE}, and the {@code Accept} header
 * mentions {@code PAOSConstants.PAOS_MIME_TYPE}. Each failed condition is logged at message
 * level and yields {@code false}.
 *
 * @param request the HttpServletRequest.
 * @return {@code true} if all three conditions hold.
 */
public static boolean isFromECP(HttpServletRequest request) {
    PAOSHeader paosHeader;
    try {
        paosHeader = new PAOSHeader(request);
    } catch (PAOSException pex) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" +
                "no PAOS header");
        }
        return false;
    }

    Map services = paosHeader.getServicesAndOptions();
    boolean advertisesEcp = services != null
            && services.containsKey(SAML2Constants.PAOS_ECP_SERVICE);
    if (!advertisesEcp) {
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" +
                "PAOS header doesn't contain ECP service");
        }
        return false;
    }

    String accept = request.getHeader("Accept");
    return accept != null && accept.contains(PAOSConstants.PAOS_MIME_TYPE);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Builds the NameIDPolicy element of an AuthnRequest.
 *
 * The SPNameQualifier is the affiliation ID when the request carries one
 * (after confirming the affiliation exists in the realm and lists this SP
 * as a member); otherwise it is the SP entity ID itself.
 *
 * @param spEntityID the SP entity ID
 * @param format the requested NameID format, checked against both descriptors
 * @param allowCreate value for the AllowCreate attribute
 * @param spsso the SP SSO descriptor
 * @param idpsso the IDP SSO descriptor
 * @param realm the realm used to look up the affiliation descriptor
 * @param paramsMap request parameters; read for the affiliation ID
 * @return the populated NameIDPolicy
 * @throws SAML2Exception if the affiliation is unknown, if this SP is not one
 *         of its members, or as propagated from NameID format verification
 */
private static NameIDPolicy createNameIDPolicy(String spEntityID,
        String format, boolean allowCreate, SPSSODescriptorElement spsso,
        IDPSSODescriptorElement idpsso, String realm, Map paramsMap)
        throws SAML2Exception {

    String verifiedFormat = SAML2Utils.verifyNameIDFormat(format, spsso, idpsso);
    NameIDPolicy policy = ProtocolFactory.getInstance().createNameIDPolicy();

    String affiliationID = getParameter(paramsMap, SAML2Constants.AFFILIATION_ID);
    if (affiliationID == null) {
        policy.setSPNameQualifier(spEntityID);
    } else {
        AffiliationDescriptorType affiDesc = sm.getAffiliationDescriptor(realm, affiliationID);
        if (affiDesc == null) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("affiliationNotFound"));
        }
        // Only a declared member may request identifiers qualified by the affiliation.
        if (!affiDesc.getAffiliateMember().contains(spEntityID)) {
            throw new SAML2Exception(SAML2Utils.bundle.getString("spNotAffiliationMember"));
        }
        policy.setSPNameQualifier(affiliationID);
    }

    policy.setAllowCreate(allowCreate);
    policy.setFormat(verifiedFormat);
    return policy;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Creates the Issuer element naming this SP.
 *
 * @param spEntityID the SP entity ID used as the issuer value
 * @return a new Issuer whose value is {@code spEntityID}
 * @throws SAML2Exception if the issuer cannot be created or populated
 */
private static Issuer createIssuer(String spEntityID) throws SAML2Exception {
    Issuer result = AssertionFactory.getInstance().createIssuer();
    result.setValue(spEntityID);
    return result;
}
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings
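/**
 * Create an AuthnRequest.
 *
 * Values are read from {@code paramsMap} first and fall back to the SP
 * configuration in {@code spConfigMap}. The Destination attribute is taken
 * from the {@code Destination} request parameter when present, otherwise
 * from {@code ssourl}; for ECP requests no Destination is set and the
 * binding is forced to PAOS. The ACS URL is always resolved from the SP's
 * own metadata ({@code spsso}); the caller-supplied binding only selects
 * which of those endpoints is used.
 *
 * @param realmName the authentication realm for this request
 * @param spEntityID the entity id for the service provider
 * @param paramsMap the map of parameters for the authentication request
 * @param spConfigMap the configuration map for the service provider
 * @param extensionsList a list of extensions for the authentication request
 * @param spsso the SPSSODescriptorElement for the service provider
 * @param idpsso the IDPSSODescriptorElement for the identity provider
 * @param ssourl the url for the single sign on request
 * @param isForECP boolean to indicate if the request originated from an ECP
 * @return a new AuthnRequest object
 * @throws SAML2Exception if a request ID cannot be generated, if the resolved
 *         ACS binding is not supported for this SP, or as propagated from the
 *         nested element builders (NameIDPolicy, Issuer, Extensions, Scoping)
 */
public static AuthnRequest createAuthnRequest(final String realmName,
        final String spEntityID,
        final Map paramsMap,
        final Map spConfigMap,
        final List extensionsList,
        final SPSSODescriptorElement spsso,
        final IDPSSODescriptorElement idpsso,
        final String ssourl,
        final boolean isForECP) throws SAML2Exception {
    // generate unique request ID
    String requestID = SAML2Utils.generateID();
    if ((requestID == null) || (requestID.length() == 0)) {
        throw new SAML2Exception(SAML2Utils.bundle.getString("cannotGenerateID"));
    }

    // retrieve data from the params map and if not found get
    // default values from the SPConfig Attributes
    // destinationURI required if message is signed.
    String destinationURI = getParameter(paramsMap, SAML2Constants.DESTINATION);
    Boolean isPassive = doPassive(paramsMap, spConfigMap);
    Boolean isforceAuthn = isForceAuthN(paramsMap, spConfigMap);
    boolean allowCreate = isAllowCreate(paramsMap, spConfigMap);
    boolean includeRequestedAuthnContextFlag = includeRequestedAuthnContext(paramsMap, spConfigMap);

    String consent = getParameter(paramsMap, SAML2Constants.CONSENT);
    Extensions extensions = createExtensions(extensionsList);
    String nameIDPolicyFormat = getParameter(paramsMap, SAML2Constants.NAMEID_POLICY_FORMAT);
    // get NameIDPolicy Element
    NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID,
            nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName, paramsMap);
    Issuer issuer = createIssuer(spEntityID);
    Integer acsIndex = getIndex(paramsMap, SAML2Constants.ACS_URL_INDEX);
    Integer attrIndex = getIndex(paramsMap, SAML2Constants.ATTR_INDEX);

    // ECP always uses PAOS; otherwise the caller may ask for a binding.
    // getACSUrl returns [acsURL, binding actually matched]; the matched
    // binding is what the request must declare, so it replaces the request value.
    String protocolBinding = isForECP ? SAML2Constants.PAOS : getParameter(paramsMap, "binding");
    OrderedSet acsSet = getACSUrl(spsso, protocolBinding);
    String acsURL = (String) acsSet.get(0);
    protocolBinding = (String) acsSet.get(1);
    if (!SAML2Utils.isSPProfileBindingSupported(
            realmName, spEntityID, SAML2Constants.ACS_SERVICE, protocolBinding)) {
        // Space before "is" was missing, which glued the binding URN to the text.
        SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest: " + protocolBinding
                + " is not supported for " + spEntityID);
        String[] data = { spEntityID, protocolBinding };
        LogUtil.error(Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
        throw new SAML2Exception(SAML2Utils.bundle.getString("unsupportedBinding"));
    }

    AuthnRequest authnReq = ProtocolFactory.getInstance().createAuthnRequest();
    if (!isForECP) {
        // A caller-supplied Destination wins over the metadata SSO URL.
        String destination = ((destinationURI == null) || (destinationURI.length() == 0))
                ? ssourl : destinationURI;
        authnReq.setDestination(XMLUtils.escapeSpecialCharacters(destination));
    }
    authnReq.setConsent(consent);
    authnReq.setIsPassive(isPassive);
    authnReq.setForceAuthn(isforceAuthn);
    authnReq.setAttributeConsumingServiceIndex(attrIndex);
    authnReq.setAssertionConsumerServiceIndex(acsIndex);
    authnReq.setAssertionConsumerServiceURL(XMLUtils.escapeSpecialCharacters(acsURL));
    authnReq.setProtocolBinding(protocolBinding);
    authnReq.setIssuer(issuer);
    authnReq.setNameIDPolicy(nameIDPolicy);
    if (includeRequestedAuthnContextFlag) {
        authnReq.setRequestedAuthnContext(
                createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
    }
    if (extensions != null) {
        authnReq.setExtensions(extensions);
    }

    // Required attributes in authn request
    authnReq.setID(requestID);
    authnReq.setVersion(SAML2Constants.VERSION_2_0);
    authnReq.setIssueInstant(new Date());

    // IDP Proxy: Scoping is only added when the SP config enables proxying.
    Boolean enableIDPProxy = getAttrValueFromMap(spConfigMap, SAML2Constants.ENABLE_IDP_PROXY);
    if ((enableIDPProxy != null) && enableIDPProxy.booleanValue()) {
        authnReq.setScoping(createIDPProxyScoping(spConfigMap));
    }

    return authnReq;
}

/**
 * Builds the Scoping element for IDP proxying from the SP configuration:
 * ProxyCount from {@code IDP_PROXY_COUNT} (when set and non-empty) and an
 * IDPList from {@code IDP_PROXY_LIST} (when non-empty).
 *
 * @param spConfigMap the SP configuration map
 * @return a Scoping element; ProxyCount and IDPList are left unset when not configured
 * @throws SAML2Exception as propagated from the protocol factory
 * @throws NumberFormatException if the configured proxy count is not an integer
 *         (same as the previous inline code; a misconfigured value still fails loudly)
 */
private static Scoping createIDPProxyScoping(final Map spConfigMap) throws SAML2Exception {
    ProtocolFactory factory = ProtocolFactory.getInstance();
    Scoping scoping = factory.createScoping();

    String proxyCountParam = getParameter(spConfigMap, SAML2Constants.IDP_PROXY_COUNT);
    if (proxyCountParam != null && !proxyCountParam.equals("")) {
        // Integer.valueOf replaces the deprecated Integer(String) constructor.
        scoping.setProxyCount(Integer.valueOf(proxyCountParam));
    }

    List proxyIDPs = (List) spConfigMap.get(SAML2Constants.IDP_PROXY_LIST);
    if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
        ArrayList list = new ArrayList(proxyIDPs.size());
        for (Iterator iter = proxyIDPs.iterator(); iter.hasNext();) {
            IDPEntry entry = factory.createIDPEntry();
            entry.setProviderID((String) iter.next());
            list.add(entry);
        }
        IDPList idpList = factory.createIDPList();
        idpList.setIDPEntries(list);
        scoping.setIDPList(idpList);
    }
    return scoping;
}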
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
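/**
 * Returns value of a boolean parameter in the SP SSO Config.
 *
 * Only the exact strings {@code SAML2Constants.TRUE} and
 * {@code SAML2Constants.FALSE} are accepted; any other value is treated as
 * "not a boolean" and yields null, so callers can tell "unset" from "false".
 *
 * @param attrMap the map of attributes for the sso config
 * @param attrName the key to get the boolean value for
 * @return the value of the parameter in the sso config or null if the attribute was not found or was
 * not a boolean parameter
 */
public static Boolean getAttrValueFromMap(final Map attrMap, final String attrName) {
    if (attrMap == null || attrMap.isEmpty()) {
        return null;
    }
    String attrVal = getParameter(attrMap, attrName);
    if (attrVal == null) {
        return null;
    }
    if (attrVal.equals(SAML2Constants.TRUE) || attrVal.equals(SAML2Constants.FALSE)) {
        // Boolean.valueOf yields the canonical Boolean.TRUE/FALSE instances
        // instead of allocating via the deprecated Boolean(String) constructor.
        return Boolean.valueOf(attrVal);
    }
    return null;
}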
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Returns the SingleSignOnService URL.
 *
 * The first non-null service whose binding equals {@code binding} wins; the
 * result is null when the list is null or empty or when no binding matches.
 *
 * @param ssoServiceList list of sso services
 * @param binding binding of the sso service to get the url for
 * @return a string url for the sso service, or null if none matched
 */
public static String getSSOURL(List ssoServiceList, String binding) {
    String location = null;
    if (ssoServiceList != null) {
        for (Iterator it = ssoServiceList.iterator(); it.hasNext();) {
            SingleSignOnServiceElement sso = (SingleSignOnServiceElement) it.next();
            if (sso == null || sso.getBinding() == null) {
                continue;
            }
            if (sso.getBinding().equals(binding)) {
                location = sso.getLocation();
                break;
            }
        }
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate: " + " SingleSignOnService URL :" + location);
    }
    return location;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
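/**
 * Returns an Ordered Set containing the AssertionConsumerServiceURL
 * and AssertionConsumerServiceIndex.
 *
 * Despite the wording above, the second element is the binding: index 0 is
 * the ACS location (null when nothing matched) and index 1 is the binding
 * that was resolved. A bare binding name without
 * {@code SAML2Constants.BINDING_PREFIX} is expanded to the full URN first.
 * With no binding, the ACS marked {@code isDefault} is used and its binding
 * returned; with a binding, the first ACS declaring that binding is used.
 * The location always comes from the SP's own metadata, never from the caller.
 *
 * @param spsso the SP SSO descriptor whose ACS endpoints are searched
 * @param binding the requested binding, possibly a short name, or null/empty
 * @return a two-element OrderedSet: [acsURL, responseBinding]
 */
static OrderedSet getACSUrl(SPSSODescriptorElement spsso, String binding) {
    String responseBinding = binding;
    if ((binding != null) && (binding.length() > 0)
            && (binding.indexOf(SAML2Constants.BINDING_PREFIX) == -1)) {
        responseBinding = SAML2Constants.BINDING_PREFIX + binding;
    }
    // No usable binding requested: fall back to the endpoint flagged as default.
    boolean wantDefault = (responseBinding == null) || (responseBinding.length() == 0);

    String acsURL = null;
    List acsList = spsso.getAssertionConsumerService();
    if (acsList != null) {
        for (Iterator ac = acsList.iterator(); ac.hasNext();) {
            AssertionConsumerServiceElement ace = (AssertionConsumerServiceElement) ac.next();
            if (ace == null) {
                continue;
            }
            if (wantDefault && ace.isIsDefault()) {
                acsURL = ace.getLocation();
                responseBinding = ace.getBinding();
                break;
            }
            // Compare from the requested side so an ACS entry lacking a Binding
            // attribute is skipped instead of raising a NullPointerException.
            if (responseBinding != null && responseBinding.equals(ace.getBinding())) {
                acsURL = ace.getLocation();
                break;
            }
        }
    }

    OrderedSet result = new OrderedSet();
    result.add(acsURL);
    result.add(responseBinding);
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
                + " URL :" + acsURL);
        SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
                + " Binding Passed in Query: " + binding);
        SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
                + " Binding : " + responseBinding);
    }
    return result;
}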
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Fills in the realm with the default top level realm if it does not contain a more specific subrealm.
 * i.e. if it is null or empty it becomes "/"
 *
 * Whitespace-only values are not treated as empty and are returned unchanged.
 *
 * @param realm the current realm
 * @return the realm to use
 */
public static String getRealm(final String realm) {
    if (realm == null || realm.length() == 0) {
        return "/";
    }
    return realm;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
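/**
 * Gets isPassive attribute from the config map and parameters map.
 *
 * The request parameter wins when it is exactly {@code SAML2Constants.TRUE}
 * or {@code SAML2Constants.FALSE}; otherwise the SP configuration is
 * consulted. When neither is set the result is {@code Boolean.FALSE}, so
 * this never returns null.
 *
 * @param paramsMap the map of the parameters
 * @param spConfigAttrsMap the map of the configuration
 * @return boolean to indicate if the request should be passive
 */
private static Boolean doPassive(Map paramsMap, Map spConfigAttrsMap) {
    Boolean isPassive;
    String isPassiveStr = getParameter(paramsMap, SAML2Constants.ISPASSIVE);
    if ((isPassiveStr != null)
            && (isPassiveStr.equals(SAML2Constants.TRUE) || isPassiveStr.equals(SAML2Constants.FALSE))) {
        // Boolean.valueOf replaces the deprecated Boolean(String) constructor.
        isPassive = Boolean.valueOf(isPassiveStr);
    } else {
        isPassive = getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ISPASSIVE);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        // Logged before the null fallback so "unset" is visible as null.
        SAML2Utils.debug.message("SPSSOFederate: isPassive : " + isPassive);
    }
    return (isPassive == null) ? Boolean.FALSE : isPassive;
}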
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
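/**
 * Returns the value of ForceAuthn.
 *
 * The request parameter wins when it is exactly {@code SAML2Constants.TRUE}
 * or {@code SAML2Constants.FALSE}; otherwise the SP configuration is
 * consulted. When neither is set the result is {@code Boolean.FALSE}, so
 * this never returns null.
 *
 * @param paramsMap the map of the parameters
 * @param spConfigAttrsMap the map of the configuration
 * @return the ForceAuthn value to place on the AuthnRequest
 */
private static Boolean isForceAuthN(Map paramsMap, Map spConfigAttrsMap) {
    Boolean isforceAuthn;
    String forceAuthn = getParameter(paramsMap, SAML2Constants.FORCEAUTHN);
    if ((forceAuthn != null)
            && (forceAuthn.equals(SAML2Constants.TRUE) || forceAuthn.equals(SAML2Constants.FALSE))) {
        // Boolean.valueOf replaces the deprecated Boolean(String) constructor.
        isforceAuthn = Boolean.valueOf(forceAuthn);
    } else {
        isforceAuthn = getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.FORCEAUTHN);
    }
    if (SAML2Utils.debug.messageEnabled()) {
        // Log the resolved value rather than the raw request parameter, so a
        // value taken from the SP configuration is visible when debugging.
        SAML2Utils.debug.message("SPSSOFederate:ForceAuthn: " + isforceAuthn);
    }
    return (isforceAuthn == null) ? Boolean.FALSE : isforceAuthn;
}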
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
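/**
 * Gets the AllowCreate value from the parameters map, falling back to the
 * SP configuration, and finally to {@code true}.
 *
 * Only the exact strings {@code SAML2Constants.TRUE} and
 * {@code SAML2Constants.FALSE} are honoured from the request; anything else
 * defers to the configuration.
 *
 * @param paramsMap the map of the parameters
 * @param spConfigAttrsMap the map of the configuration
 * @return the AllowCreate value for the NameIDPolicy
 */
private static boolean isAllowCreate(Map paramsMap, Map spConfigAttrsMap) {
    // Default is true when neither the request nor the config says otherwise.
    boolean allowCreate = true;
    String allowCreateStr = getParameter(paramsMap, SAML2Constants.ALLOWCREATE);
    if ((allowCreateStr != null)
            && (allowCreateStr.equals(SAML2Constants.TRUE) || allowCreateStr.equals(SAML2Constants.FALSE))) {
        // parseBoolean replaces the deprecated new Boolean(String).booleanValue().
        allowCreate = Boolean.parseBoolean(allowCreateStr);
    } else {
        Boolean val = getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.ALLOWCREATE);
        if (val != null) {
            allowCreate = val.booleanValue();
        }
    }
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate:AllowCreate:" + allowCreate);
    }
    return allowCreate;
}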
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper
/**
 * Decides whether a RequestedAuthnContext element should be added to the
 * AuthnRequest.
 *
 * The request parameter {@code INCLUDE_REQUESTED_AUTHN_CONTEXT} overrides
 * the SP configuration value; when neither is set the flag defaults to
 * {@code true} for backwards compatibility.
 *
 * @param paramsMap the map of the parameters
 * @param spConfigAttrsMap the map of the configuration
 * @return whether to include the RequestedAuthnContext
 */
private static boolean includeRequestedAuthnContext(Map paramsMap, Map spConfigAttrsMap) {
    // Parameters first, so a request can override the metadata value.
    Boolean flag = getAttrValueFromMap(paramsMap, SAML2Constants.INCLUDE_REQUESTED_AUTHN_CONTEXT);
    if (flag == null) {
        flag = getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.INCLUDE_REQUESTED_AUTHN_CONTEXT);
    }
    // Not found anywhere -> true, to stay backwards compatible.
    boolean result = (flag == null) || flag.booleanValue();

    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate:includeRequestedAuthnContext:" + result);
    }
    return result;
}
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper
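/**
 * Reads an index-valued request parameter (per the original comment, the
 * AssertionConsumerServiceURL index) as an Integer.
 *
 * @param paramsMap request parameters
 * @param attrName name of the index parameter
 * @return the parsed index, or {@code null} if the parameter is absent or empty
 * @throws NumberFormatException if the parameter is present but is not a valid
 *         decimal integer; the value comes straight from the request, so callers
 *         should expect this for malformed input rather than a null result
 */
private static Integer getIndex(Map paramsMap, String attrName) {
    String index = getParameter(paramsMap, attrName);
    if (index == null || index.length() == 0) {
        return null;
    }
    // Integer.valueOf replaces the deprecated Integer(String) constructor;
    // parsing behaviour (and the exception on bad input) is the same.
    return Integer.valueOf(index);
}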
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Gets the first value of the named query parameter.
 *
 * @param paramsMap map of parameter name to a List of String values; may be null
 * @param attrName the parameter name to look up
 * @return the first value of the parameter, or {@code null} when the map is null
 *         or empty, the parameter is absent, or its value list is empty
 */
public static String getParameter(Map paramsMap, String attrName) {
    if (paramsMap == null || paramsMap.isEmpty()) {
        return null;
    }
    // Parameters are multi-valued; only the first value is used.
    List values = (List) paramsMap.get(attrName);
    if (values == null || values.isEmpty()) {
        return null;
    }
    return (String) values.iterator().next();
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
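/**
 * Gets the metadata Extensions content for the SP entity.
 *
 * @param entityID the entity ID whose extensions are wanted
 * @param realm the realm the entity is configured in
 * @return the list returned by the entity descriptor's Extensions {@code getAny()},
 *         or {@code null} if the descriptor cannot be retrieved or has no
 *         Extensions element
 */
public static List getExtensionsList(String entityID, String realm) {
    List extensionsList = null;
    try {
        EntityDescriptorElement ed = sm.getEntityDescriptor(realm, entityID);
        if (ed != null) {
            com.sun.identity.saml2.jaxb.metadata.ExtensionsType ext =
                    ed.getExtensions();
            if (ext != null) {
                extensionsList = ext.getAny();
            }
        }
    } catch (SAML2Exception e) {
        // Pass the exception to the logger so the cause is not lost; the
        // previous version logged only the message text.
        SAML2Utils.debug.error("SPSSOFederate:Error retrieving EntityDescriptor", e);
    }
    return extensionsList;
}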
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Wraps metadata extension elements into a protocol Extensions object.
 *
 * @param extensionsList the extension elements (e.g. from getExtensionsList);
 *        may be null
 * @return a populated Extensions object, or {@code null} when the list is null
 *         or empty
 * @throws SAML2Exception propagated from the ProtocolFactory calls
 */
private static com.sun.identity.saml2.protocol.Extensions
        createExtensions(List extensionsList) throws SAML2Exception {
    if (extensionsList == null || extensionsList.isEmpty()) {
        // Nothing to carry: leave the Extensions element out entirely.
        return null;
    }
    com.sun.identity.saml2.protocol.Extensions result =
            ProtocolFactory.getInstance().createExtensions();
    result.setAny(extensionsList);
    return result;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Stores the relay state for a request and returns the ID under which it was
 * stored.
 *
 * The relay state is always kept in the in-memory {@code SPCache.relayStateHash}
 * under {@code requestID}; when SAML2 failover is enabled it is additionally
 * written to the token repository. The value is stored exactly as given — any
 * validation of it is presumably done by the caller (not visible here).
 *
 * @param relayState the relay state to remember
 * @param requestID the request ID used as the cache key
 * @return the relay state ID, which is the {@code requestID} itself
 */
public static String getRelayStateID(String relayState, String requestID) {

    SPCache.relayStateHash.put(requestID, new CacheObject(relayState));

    if (!SAML2FailoverUtils.isSAML2FailoverEnabled()) {
        return requestID;
    }

    // The repository already holds a copy of the AuthnRequestInfo under the
    // plain requestID, so the relay state needs a distinct key.
    final String failoverKey = requestID + requestID;
    // Expiry is expressed in seconds since the epoch.
    final long expiresAt = System.currentTimeMillis() / 1000 + SPCache.interval;
    try {
        SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(failoverKey, relayState, expiresAt);
        if (SAML2Utils.debug.messageEnabled()) {
            SAML2Utils.debug.message("SPSSOFederate.getRelayStateID: SAVE relayState for requestID "
                    + failoverKey);
        }
    } catch (SAML2TokenRepositoryException se) {
        // Failover persistence is best effort: the in-memory copy is already stored.
        SAML2Utils.debug.error("SPSSOFederate.getRelayStateID: Unable to SAVE relayState for requestID "
                + failoverKey, se);
    }

    return requestID;
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
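/**
 * Creates the RequestedAuthnContext for the AuthnRequest using the SP's
 * configured authentication-context mapper.
 *
 * The mapper class name is taken from the first value of the
 * {@code SAML2Constants.SP_AUTHCONTEXT_MAPPER} attribute in the SP extended
 * metadata (if present); {@code SAML2Utils.getSPAuthnContextMapper} is then
 * asked for the mapper instance.
 *
 * @param realmName the realm the SP lives in
 * @param spEntityID the SP entity ID
 * @param paramsMap request parameters handed to the mapper
 * @param spConfigMap SP extended metadata attributes
 * @return the RequestedAuthnContext, or {@code null} if the mapper throws.
 *         A null result means the AuthnRequest will carry no authentication
 *         context requirement at all, so the failure is logged at error level
 *         rather than being hidden behind debug logging.
 */
private static RequestedAuthnContext createReqAuthnContext(String realmName,
        String spEntityID, Map paramsMap, Map spConfigMap) {
    RequestedAuthnContext reqCtx = null;
    String className = null;
    if ((spConfigMap != null) && (!spConfigMap.isEmpty())) {
        List listVal = (List) spConfigMap.get(SAML2Constants.SP_AUTHCONTEXT_MAPPER);
        if (listVal != null && listVal.size() != 0) {
            className = ((String) listVal.iterator().next()).trim();
        }
    }

    SPAuthnContextMapper spAuthnContextMapper =
            SAML2Utils.getSPAuthnContextMapper(realmName, spEntityID, className);

    try {
        reqCtx = spAuthnContextMapper.getRequestedAuthnContext(
                realmName, spEntityID, paramsMap);
    } catch (SAML2Exception e) {
        // Silently dropping the context requirement weakens what the SP asks
        // the IdP for; make the failure visible in the normal error log.
        SAML2Utils.debug.error("SPSSOFederate:Error creating RequestedAuthnContext", e);
    }

    return reqCtx;
}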
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
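/**
 * Signs the query string with the private key registered under the given
 * certificate alias.
 *
 * @param queryString the query string to sign
 * @param certAlias alias of the signing key in the key provider
 * @return the signed query string, as produced by {@code QuerySignatureUtil.sign}
 * @throws SAML2Exception if no key provider instance is available (same
 *         {@code nullKeyProvider} error as signAuthnRequest), or propagated
 *         from {@code QuerySignatureUtil.sign}
 */
public static String signQueryString(final String queryString, final String certAlias)
        throws SAML2Exception {
    if (SAML2Utils.debug.messageEnabled()) {
        SAML2Utils.debug.message("SPSSOFederate:queryString:"
                + queryString);
        SAML2Utils.debug.message("SPSSOFederate: certAlias :"
                + certAlias);
    }
    KeyProvider kp = KeyUtil.getKeyProviderInstance();
    if (kp == null) {
        // Consistent with signAuthnRequest: fail with a SAML2Exception instead
        // of a NullPointerException when the key provider is unavailable.
        SAML2Utils.debug.error("SPSSOFederate:signQueryString: " +
                "Unable to get a key provider instance.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
    }
    // NOTE(review): getPrivateKey is not null-checked here; an unknown alias
    // presumably surfaces from QuerySignatureUtil.sign — confirm.
    PrivateKey privateKey = kp.getPrivateKey(certAlias);
    return QuerySignatureUtil.sign(queryString, privateKey);
}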
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Signs an AuthnRequest in place with the private key and certificate
 * registered under the given alias.
 *
 * @param certAlias alias of the signing key and certificate in the key provider
 * @param authnRequest the request to sign; it is modified in place
 * @throws SAML2Exception if no key provider instance is available
 *         ({@code nullKeyProvider}), or propagated from the request's
 *         {@code sign} call
 */
public static void signAuthnRequest(final String certAlias,
        final AuthnRequest authnRequest) throws SAML2Exception {

    final KeyProvider keyProvider = KeyUtil.getKeyProviderInstance();
    if (keyProvider == null) {
        SAML2Utils.debug.error("SPSSOFederate:signAuthnRequest: " +
                "Unable to get a key provider instance.");
        throw new SAML2Exception(SAML2Utils.bundle.getString("nullKeyProvider"));
    }
    // NOTE(review): the key and certificate looked up for the alias are not
    // null-checked; an unknown alias presumably surfaces from sign() — confirm.
    authnRequest.sign(keyProvider.getPrivateKey(certAlias),
            keyProvider.getX509Certificate(certAlias));
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}